This blog is about the Linux Command Line Interface (CLI), with an occasional foray into GUI territory.
Instead of just giving you information like some man page, I hope to illustrate each command in real-life scenarios.

Search This Blog

Tuesday, December 18, 2007

The basic Linux permission model lets you specify permissions for the file's owner and group, and all others. This article assumes that you are familiar with the basic permissions, and know how to set them. The Access Control List (ACL) feature extends the model to allow much finer control: you can specify permissions for each individual user and group defined in your system.

Consider this scenario: your server supports multiple office departments: Sales, Marketing, and Helpdesk. Each department has a manager, and one or more staff members.

You define a group for each department that comprises of its manager and staff members: sales-g, marketing-g, and helpdesk-g. Then, you also define a managers only group: managers-g.

It is normal that some departments need to share files among each other, but not with all departments. For instance, Sales needs to share a file with Marketing, but not with HelpDesk. To set that up using only the basic permissions, you can define yet more groups: sales-marketing-g, sales-marketing-managers-g, etc.

Alternatively, you can use ACL to assign permissions to individual group and user.

Before you can use ACL, you must explicitly turn it on for the partitions you want to have the ACL feature available.

As root, edit /etc/fstab. Find the partition that you want ACL enabled, and add the mount option acl.

/dev/mapper/star-home /home ext3 defaults,acl 0 2

Next, assuming that your partition is already mounted, then either reboot the system, or better yet, remount dynamically:

mount -o remount,acl /home

Next, you need to make sure that you have 2 ACL utilities installed: getfacl, and setfacl.

On a Debian system, install the utilities like this:

$ apt-get install acl

Note: eiciel is a GUI-based utility that can both get and set ACLs. It adds a new Access Control List tab to the Properties view in Nautilus. You can also run eiciel on its own, and edit the ACL of any file or directory.

Now, you are ready to tackle ACL.

Let's start simple: you have a file /home/peter/targets.txt that you want to share between sales-g, marketing-g, and an user named george.

Part 2 of this article describes how to define ACL for a directory. As you would expect, you can specify the read/write/execute permissions for any group or user on a directory. In addition, you can specify the DEFAULT permissions for any FILE created under this directory.

Saturday, December 8, 2007

File systems need to be mounted on Linux before you can access the data on them. You can specify mount options such as whether the file system is Read Only or Read/Write, and whether to support Access Control List, etc.

To see what file systems are currently mounted, where, and with what options, issue the mount command without arguments:

$ mount.../dev/hda5 on /home type ext3 (rw,acl)...

Recently, I wanted to tell the file system not to track the last access time (atime) of files under /home. I did not have any good use for the last access time. So, I opted to disable its tracking to reduce disk activity and save a few watts. This is accomplished through adding the mount option noatime.

To change the mount option for /home:

Edit /etc/fstab as root.

Add the option noatime to the line that corresponds to /home:

/dev/hda5 /home ext3 defaults,acl,noatime 0 2

To make the change effective, you can either reboot (to which you sneer) or you can remount /home.

To remount a file system, say /home, with new mount options at run-time, issue a command like this:

$ mount -o remount,noatime /home

There you have it. You can now feel good about saving a few watts, and be the hero in saving the environment.

Saturday, December 1, 2007

Mounting a USB flash drive in GNOME (or another Linux desktop environment) is as easy as plug and play. Yet, occasionally, you need to mount one on a server which does not run X, then you must know how to do it on the command line.